Releases: ghostunnel/ghostunnel

Version 1.8.1

07 Jul 03:53
v1.8.1
1e2a421

New Features

  • Add optional /_shutdown endpoint on status port for terminating via HTTP POST. Can be enabled via the --enable-shutdown flag (by @drcapulet in #466).
  • On Windows, add support for using LOCAL_MACHINE and CURRENT_SERVICE key stores. Support was previously limited to the CURRENT_USER key store (by @csstaub in #476).

Bug Fixes

  • Better landlock rule processing to correctly handle flags that can be either host:port or URLs (by @csstaub in #475)

Full Changelog: v1.8.0...v1.8.1

Version 1.8.0

19 Jun 15:27
v1.8.0
a351b7c

New Features

  • Add support for systemd watchdog timer (@csstaub in #427). Ghostunnel can now be watched by systemd using the WatchdogSec option. If Ghostunnel fails to respond, systemd will automatically relaunch it. See docs/WATCHDOG.md for an example service file.
  • Implement landlock support to limit process privileges on Linux (@csstaub in #431). If started with the --use-landlock flag, Ghostunnel will call upon landlock on Linux to limit access to files and sockets. This is an experimental feature; please give it a try and let us know if you run into any issues.

Bug Fixes

  • Avoid use of deprecated SecTrustGetCertificateAtIndex (@csstaub in #426)
  • Fix nil ptr deref on Windows/Linux when keychain flags are used (@csstaub in #448)
  • Close files properly and remove refs to deprecated io/ioutil (@testwill in #453 and #454)
  • Fix RSA-PSS for Windows platform keys (@csstaub in #459 and #469)

Other Changes

Full Changelog: v1.7.3...v1.8.0

Version 1.8.0-rc.2

16 May 04:30
v1.8.0-rc.2
7adc877
Pre-release

Bug Fixes

Full Changelog: v1.8.0-rc.1...v1.8.0-rc.2

Version 1.8.0-rc.1

07 May 03:56
v1.8.0-rc.1
5f57a81
Pre-release

New Features

  • Add support for systemd watchdog timer (@csstaub in #427). Ghostunnel can now be watched by systemd using the WatchdogSec option. If Ghostunnel fails to respond, systemd will automatically relaunch it. See docs/WATCHDOG.md for an example service file.
  • Implement landlock support to limit process privileges on Linux (@csstaub in #431). If started with the --use-landlock flag, Ghostunnel will call upon landlock on Linux to limit access to files and sockets. This is an experimental feature; please give it a try and let us know if you run into any issues.

Bug Fixes

  • Avoid use of deprecated SecTrustGetCertificateAtIndex (@csstaub in #426)
  • Fix nil ptr deref on Windows/Linux when keychain flags are used (@csstaub in #448)

Other Changes

Full Changelog: v1.7.3...v1.8.0-rc.1

Version 1.7.3

11 Feb 04:43
v1.7.3
04b717c

Changes

  • Fix bug in flag handling for disabling auth in server mode when using SPIFFE workload API (#418)
  • Bump dependency versions and minor fixes (#411, #409, #414, #413)

Version 1.7.2

11 Dec 17:26
v1.7.2
7f938dd

Changes

  • Updated Go toolchain and bumped all dependencies to latest versions (#411)
  • Avoid setting GetCertificate for SPIFFE in client mode if auth is disabled (#407)

Plus some miscellaneous fixes & build changes (#405, #399, #401, #397, #395)

Full Changelog: v1.7.1...v1.7.2

Version 1.7.1

18 Nov 03:09
v1.7.1

Changes

  • Reload OPA policies during reload (#381)
  • Bump Go version in Docker container to 1.19 (#383)
  • Provide darwin-arm64/universal release binaries (#388)

Version 1.7.0

04 Nov 20:37
v1.7.0
0bf2a07

Changes

  • Update to Go 1.19 for release builds & bump dependencies
  • Fix a memory leak in HTTP status checking (#379, thanks @phamann)
  • Add support for OPA to allow auth based on Rego policies (#374, thanks @spacedub)
  • Update to latest go-spiffe for better Windows support (#371, thanks @MarcosDY)

Version 1.7.0-rc.1

27 Oct 22:22
v1.7.0-rc.1
0bf2a07
Pre-release

Changes

  • Update to Go 1.19 for release builds & bump dependencies
  • Fix a memory leak in HTTP status checking (#379, thanks @phamann)
  • Add support for OPA to allow auth based on Rego policies (#374, thanks @spacedub)
  • Update to latest go-spiffe for better Windows support (#371, thanks @MarcosDY)

Version 1.6.1

16 Jun 01:38
v1.6.1

Changes

  • Add support for HTTP status endpoints for targets (#365, thanks to @mccurdyc)
  • Support for filtering keychain identities by serial and/or issuer (#352)
  • Add initial ACME support in server mode (#348, thanks to @ryankoski)
  • Better connect proxy resolution handling (#357, #360)